4. Mitigating Risk
Legal persons and arrangements are an important part of LFIs’ customer base and of economic activity in the UAE. However, legal persons and arrangements create real, and diverse, risks for financial institutions. LFIs are not expected to prohibit legal person and arrangement customers. Instead, they must understand, manage, and mitigate the risk through the appropriate application of preventive measures required under AML-CFT Decision and CBUAE directives and guidance documents.
This section describes LFIs’ obligations under UAE Law with specific reference to legal persons and arrangements. It is not a comprehensive discussion of all requirements imposed on LFIs. LFIs should consult the Laws and regulations including AML-CFT Decision and the CBUAE’s Anti-Money Laundering the Combating the Financing of Terrorism and Illegal Organizations Guidelines. The controls discussed below must be integrated into the LFI’s larger AML/CFT compliance program, and supported with appropriate governance and training.
4.1. Requirements for Legal Person and Arrangement Customers Under AML-CFT Decision
Under Article 8(b) of AML-CFT Decision, when conducting CDD on legal persons and arrangements, LFIs must collect the following information and verify it based on documents from a reliable and independent source:
• The name [this may not apply for legal arrangements], Legal Form and Memorandum of Association; • Headquarters’ office address or the principal place of business; in addition, if the legal person or arrangement is a foreign entity, the name and address of its legal representative in the State; • Articles of Association or any similar documents, approved by the relevant authority within the State; • Names of relevant persons holding senior management positions in the legal person or legal arrangement.
Legal persons and arrangements, by definition, cannot take action on their own and must be represented by a natural person. Therefore, for all legal persons and arrangements the LFI must verify that the individual acting on behalf of the customer is authorized to do so, and conduct CDD on that person as required by Article 8(a) of AML-CFT Decision.
In addition to the information described above, under Article 9 of AML-CFT Decision, the LFI must take reasonable measures to identify the beneficial owner(s) of all legal person and legal arrangement customers.
• For legal persons, LFIs must at least obtain and verify the identity of all individuals who, individually or jointly, have a controlling ownership interest in the legal person of 25% or more. If no individual can be identified, the LFI must identify the individual(s) holding the senior management position(s) within the legal person customer. • For legal arrangements, LFIs must verify the identity of the settlor and the trustee (or anyone holding equivalent positions for non-trust legal arrangements), the beneficiaries or class of beneficiaries, and any other individuals in control of the legal arrangement. LFIs must also obtain sufficient information on the beneficial owners of a legal arrangement to enable verification of the beneficial owner when paying trust funds to the beneficial owner, or when the beneficial owner begins to exercise his or her legally acquired rights. (This may take place, for example, when a beneficiary of a trust reaches his or her majority and takes full control and ownership of the trust funds.)
As stipulated by Article 10 of AML-CFT Decision, LFIs may omit collecting information from the customer to identify the beneficial owner of a legal person or arrangement customer only in two narrowly defined circumstances, which both apply to legal persons only:
a) The customer is a company listed on a regulated stock exchange and subject to disclosure requirements that ensure adequate transparency with regards to the customer’s beneficial owner(s); b) A subsidiary whose majority shares or stocks are held by the shareholders of the holding company.
In both cases, LFIs must still identify the beneficial owner(s) using reliable public sources. LFIs must also verify that the customer does in fact qualify for the exemption. LFIs remain responsible for using a risk-based approach and for ensuring that they understand their customer. LFIs should not seek to take advantage of this exemption if they cannot identify the beneficial owner(s) using reliable public sources. LFIs are unlikely to find reliable public information on the beneficial owners of privately-held holding companies.
In all cases, LFIs are also required by Article 8.4 of AML-CFT Decision to understand the customer’s ownership and control structure.
4.2. The Risk-Based Approach, Customer Risk Rating, and the Institutional Risk Assessment
LFIs should take a risk-based approach to the preventive measures they put in place for all customers, including legal persons and arrangements. A risk-based approach means that LFIs should dedicate compliance resources and effort to customers, business lines, branches, and products and services in keeping with the risk presented by those customers, business lines, branches, and products and services, as assessed in accordance with Article 4 of AML-CFT Decision.
The risk-based approach has three principal components:
1. Conducting an enterprise risk assessment, as required by Article 4.1 of AML-CFT Decision.
The enterprise risk assessment should reflect the presence of legal persons and arrangements in an LFI’s customer base. The risk assessment should consider the most common forms of legal persons and arrangements in the LFI’s customer base and should assess the risks of each form. This assessment should carefully consider and incorporate the ML/TF risks legal persons and arrangements pose to LFIs discussed above (section 2.1), although LFIs may have legal person and arrangement customers from outside the UAE whose risks will also need to be assessed. These assessments should in turn be reflected in the LFI’s inherent risk rating.
In addition, the LFI’s risk assessment should take into consideration the strength of the controls that the LFI has in place to mitigate the risks posed by its legal person and arrangement customers, including the preventive measures discussed below.
2. Identifying and assessing the risks associated with specific customers.
The LFI should assess the risk of each customer to identify those that require enhanced due diligence (EDD). Customer risk assessment for legal person and arrangements should incorporate at least all elements of the customer risk assessment for individuals, but should apply them both to the legal person or arrangement customer itself and to the individuals prominently associated with it. For example, the assessment of the legal person or arrangement’s jurisdictional risk should take into consideration not just the customer’s jurisdiction of establishment, but also the residence and nationality of the beneficial owners, senior manager, and directors.
Other risk assessment considerations that are unique to legal person and arrangement customers include:
• The legal form of the customer, and the controls in place to ensure transparency; • The status of the beneficial owners and senior management. For example, if a beneficial owner or senior manager of a customer is a PEP, as defined in Article 15 of AML-CFT Decision, the customer may also need to be treated as PEP, depending on the extent of the PEP’s ownership and control and his or her relationship to the other beneficial owners or managers.
3. Applying EDD and other preventive measures to customers the LFI determines to be higher-risk, as required by Article 4.2(b) of AML-CFT Decision, or to specific customer types, no matter their risk rating, as required by AML-CFT Decision.
Many EDD measures for legal persons and arrangements are the same as those applied to individual customers. EDD measures that are specific to legal person and arrangement customers are discussed in section 4.3 below.
Under AML-CFT Decision, the legal person customer types for which enhanced or special due diligence is required are:
• Legal persons based in high-risk countries (Article 22);
• Financial institutions with which the LFI proposes to enter into a correspondent relationship (Article 25);
• Legal person customers that are fully owned or controlled by PEPs, their direct family members, or their close associates (Article 15). If a PEP, a direct family member, or an associate is a partial owner of a customer, LFIs may take a risk-based approach to applying EDD to the customer.
• Non-Profit Organisations (Article 33).
4.3. Customer Due Diligence and Enhanced Due Diligence
CDD, and, where necessary, EDD are the core preventive measures that help LFIs manage the risks of legal person and legal arrangement customers. Because of this, LFIs are prohibited from maintaining anonymous accounts, and from onboarding any account or customer with fictitious names or characteristics. LFIs must perform CDD on every customer.
The goal of the CDD process is to ensure that LFIs understand who their customer is and the purpose for which the customer will use the LFI’s services. Therefore, the LFI must identify customers that are legal persons and legal arrangements. When the customer is a legal person or arrangement, the process of understanding the customer (“knowing your customer”) is more complex and requires additional steps.
Where an LFI cannot satisfy itself that it understands a legal person or legal arrangement-including when it has doubts that it has identified the individuals who truly own and control the legal person or legal arrangement—then it must not accept that legal person or legal arrangement as a customer. If there is an existing business relationship, the LFI should not continue it. LFIs should also consider filing a Suspicious Transaction Report, as discussed 4.4 below.
4.3.1. Core Elements of Customer Due Diligence
LFIs are reminded that all elements of CDD (and EDD) apply to customers that are legal persons and legal arrangements. LFIs should refer to the Guidelines on Anti-Money Laundering and Combating the Financing of Terrorism and Illicit Organizations for Financial Institutions for a full discussion of CDD obligations. CDD obligations include, but are not limited to, the requirement that LFIs, using a risk-based approach:
• Identify the customer and verify if the customer’s identity is reliable by using independent sources (discussed in this section); • Identify beneficial owners of the customer (discussed in section 4.3.2 below); • Assess and understand customer risk (discussed in section 4.2 above); • Obtain information on the purpose and intended nature of the account (discussed in section 4.3.3 below); and • Ensure ongoing due diligence is conducted and that the business relationship and transactions are scrutinized in the course of the relationship (discussed in section 4.3.4 below).
LFIs must maintain records of the customer information obtained through CDD to enable the LFI to demonstrate compliance to CBUAE and to comply with requests for information from competent authorities.
As discussed above in section 4.1, LFIs must identify legal person customers by collecting the following information and verifying it using independent, reliable sources:
• The name [this may not apply for legal arrangements], Legal Form and Memorandum of Association; • Headquarters’ office address or the principal place of business; in addition, if the legal person or arrangement is a foreign entity, the name and address of its legal representative in the State; • Articles of Association or any similar documents, approved by the relevant authority within the State; • Names of relevant persons holding senior management positions in the legal person or legal arrangement.
Verification of information collected to identify the customer should be risk-based. In standard cases, verification should rely on government-issued or certified documents, such as business licenses and notarized copies of the legal person’s memorandum of association. Where risks are lower, LFIs may consider using non-documentary sources, such as public registries, including the registries maintained by company registrars in the UAE. Consulting a registry, however, is not a replacement for collecting the documents specifically required by the AML-CFT Decision, even if the customer was required to submit the same documents to the registry.
4.3.2. Identification of Beneficial Owners and of Ownership and Control Structure
4.3.2.1. UAE Requirements
As discussed in section 4.1 above, the UAE requires all financial institutions to identify the beneficial owners of a legal person customer by obtaining and verifying the identity of all individuals who, individually or jointly, have a controlling ownership interest in the legal person of 25% or more. Where no such individual meets this description, the LFI must identify and verify the identity of the individual holding the senior management position in the entity.
The AML-CFT Decision does not define “senior management position,” and LFIs should make a judgment, based on the specific facts and circumstances, as to the individual who meets this description. The senior management official should be a single individual with significant responsibility to control, manage, or direct a legal person customer. This may include the entity’s Chief Executive Officer, Chief Financial Officer, Chief Operating Officer, Managing Director, General Partner, or President.
LFIs should consider whether the individual’s background, experience, and expertise make it plausible that they would indeed hold a position of responsibility at a legal person of the customer’s size. Where a customer identifies a relatively young or inexperienced individual as its senior manager, that may be a sign that the individual does not in fact control the customer and instead takes orders from another individual who wishes to obscure his or her identity.
For legal arrangement customers, LFIs must verify the identity of the settlor and the trustee (or anyone holding equivalent positions for non-trust legal arrangements), the beneficiaries or class of beneficiaries, and any other individuals in control of the legal arrangement.
The beneficial owner of a legal person or arrangement must be an individual. Another legal person or arrangement cannot be the beneficial owner of a customer, no matter what percentage it owns. LFIs must continue tracing ownership all the way up the ownership chain until it discovers all individuals who own or control at least 25% of the LFI’s customer.
When the LFI has identified qualifying beneficial owners, it should perform CDD on each individual beneficial owner, in accordance with the requirements of Article 8.1(a) of AML-CFT Decision. Where the customer is a UAE legal person, LFIs may require the customer provide the beneficial ownership report it has submitted to its company registrar as per Cabinet Decision (58). This should not be a substitute, however, for independent identification of beneficial owners by the LFI.
LFIs are also required to understand the customer’s ownership and control structure. This means that LFIs must be aware of who owns the customer, even if they have not verified the identity of the individuals owning every company in the customer’s ownership chain. LFIs should have confidence that they fully understand who has the power to direct and control their customer’s actions.
4.3.2.2. Applying a Risk Based Approach
It is important to note that the legal requirements mentioned above (section 4.3.2.1) are baseline obligations rather than definitions of beneficial ownership. A beneficial owner, as defined in AML-CFT Decision, is any individual who owns or controls all or part of a legal person. This means that a legal person can have several beneficial owners, not all of whom are required to be identified under the law. LFIs should always identify and verify the identity of all individuals owning or controlling at least 25% of a legal person, but they should also make a risk-based decision as to whether to identify and verify the identity of additional beneficial owners. For legal person customers that require EDD, whether as a function of law or because they are higher risk, LFIs should always consider lowering the ownership threshold below 25%.
LFIs should be aware that even minority owners of a legal person customer can exercise control over the legal person through information arrangements, family relationships, and specific governance arrangements (e.g. preferred stock), among other methods. Customers whose minority owners include individuals that are subject to United Nations or UAE sanctions may also create serious risks for LFIs, even if the individual only owns a small share of the customer (see section 4.5 below). Thus, particularly in higher risk scenarios, LFIs should consider completing an ownership and control chart that includes at least the names of all beneficial owners of every legal customer, or all individuals owning at least 5% of the customer. Collecting the names of beneficial owners is distinct from identifying them and verifying their identity and does not require the LFI to collect identifying information. LFIs must still identify and verify the identity of all individuals owning at least 25% of legal person customers.
Beyond lowering the ownership threshold, EDD methods related to identification of ownership and control can include requiring the beneficial owners of customers to verify their ownership by presenting share certificates or contracts.
Example 1: Company A is a UAE-based company that leases office space. Company A applies to open an account with Bank Lion, a CBUAE-supervised LFI. Bank Lion verifies that Company A is 50% owned by Mr. Y and 40% owned by Ms. W. Bank Lion is aware that Company A has additional owners, but knows they own less than 10% of Company A.
Because Company A is a low-risk domestic firm, Bank Lion is not required to identify the additional owners of Company A.
Example 2: Company B is a Cayman Islands-based company with no business operations and a letterbox address on the premises of a known Cayman Islands TCSP. Company B applies to open an account with Bank Lion, a CBUAE-supervised LFI. Bank Lion verifies that Company B is 50% owned by Mr. Y, a citizen of Russia and 40% owned by Ms. W, a citizen of Malta.
Company B is likely a shell company, and its known beneficial owners are from high-risk jurisdictions. Therefore, Bank Lion decides to take the step of identifying and verifying the identity of the individuals who owns the remaining 10% of the company before accepting Company B as a customer. It discovers that the remaining 10% of shares are owned by Mr. Y’s father, a well-known Russian businessman. Because Mr. Y is only 22 and a recent university graduate, Bank Lion suspects that Mr. Y is a nominee and that his father may be the true controlling owner of Company B.
4.3.2.3. Legal Persons – Common Situations
In many cases, identifying the beneficial owners of a legal person customer will be a straightforward process. A customer may be directly owned by one or two individuals:
In such cases, an LFI is obliged to identify and to verify the identity of both individuals, Mr. X and Ms. Y.
Legal persons may have more complex ownership structures, however, in which other legal persons are involved in the ownership chain. In such cases, LFIs must continue up the chain until they identify an individual:
In this situation, the owners of Company A are as follows:
Owner Share Ownership Type Mr. X 30% Direct Ms. Y 30% Direct Ms. E 28% Indirect - Ms E owns 70% of Company B, which in turn owns 40% of Company A Mr. D 12% Indirect - Mr. D owns 30% of Company B, which in turn owns 40% of Company A Mr. X, Ms. Y, and Ms. E must all be identified under UAE law, as they own at least 25% of Company A. Mr. D owns 12%, so he is not required to be identified. But the LFI should make a risk-based decision as to whether to identify him.
Illicit actors may seek to use complex ownership structures to hide the fact that they own 25% or more of the customer. This is why it is important for LFIs to use a risk-based approach and to be confident that, at the end of the process, they fully understand who controls their customer.
In this situation, although it at first appears that Ms. Y and Mr. X each own less than 25% of Company A, in fact between them they own 100% of the company. Their ownership interests can be calculated as follows:
Mr. X:
• 20% of Company B, which owns 40% of Company A: 20% of 40% is 8%; plus • 100% of Company E, which owns 75% of Company C, which owns 60% of Company A: 100% of 75% of 60% is 45%. • Mr. X owns 53% of Company A.
Ms. Y:
• 25% of Company C, which owns 60% of Company A: 25% of 60% is 15%; plus • 100% of Company D, which owns 80% of Company B, which owns 40% of Company A: 100% of 80% of 40% is 32%. • Ms. Y owns 47% of Company A.
Both Mr. X and Ms. Y must be identified under UAE law. In addition, LFIs should be aware that Mr. X and Ms. Y are likely associated parties and should question whether there is a legitimate economic purpose for the ownership structure of Company A.
4.3.2.4. Legal Arrangements - Common Situations
Legal arrangements may not present the layered ownership structures seen in legal persons. This does not mean, however, that identifying the beneficial owners of legal arrangements is always straightforward. In particular, the very different forms of legal arrangements that may be formed in different jurisdictions can make it difficult to identify the individuals who hold roles analogous to settlor, trustee, and beneficiary. LFIs should always identify the following individuals:
• The legal entities or individuals who have the power to control the property of the legal arrangements. These legal entities or individuals are analogous to trustees. If a legal entity (such as a financial institution) acts as trustee, LFIs must identify the beneficial owners of that legal entity. • The legal entities or individuals for whose present or future benefit the trustees are safeguarding the legal arrangement property. These legal entities or individuals are analogous to the beneficiaries. o Beneficiaries may be defined as a class which can change over time (e.g., “all the underage grandchildren of the settlor”). o LFIs should identify the class of beneficiaries, and all beneficiaries currently in existence, at the time of onboarding the customer. During periodic CDD refresh, they should ascertain whether additional identifiable individuals have joined or left the beneficiary class (e.g. a new child has been born, a beneficiary has come of legal age). o If a legal entity is the named beneficiary, LFIs must identify the beneficial owners of that legal entity. • The legal entities or individuals who assigned control of the legal arrangement property to the trustees (or individuals holding a similar position). This individual or legal entity is analogous to the settlor. A settlor may or may not retain underlying legal ownership of the legal arrangement property. If a legal entity acts as settlor, LFIs must identify the beneficial owners of that legal entity.
In addition, where trustees are financial institutions, lawyers or any other professional with secrecy rules in a foreign jurisdiction, it may be difficult to obtain the information LFIs need. LFIs should be aware that if they cannot obtain this information, they should not establish the business relationship or continue an existing relationship.
Legal arrangements may also be part of the ownership structures of other legal persons or arrangements. Because trusts do not have shares or equity, LFIs should treat all participants in a trust or similar legal arrangement as if they own 100% of the legal arrangement.
In the example above, Company A is 40% owned by Company B, which is in turn wholly owned by a trust established in the Isle of Jersey. Ms. Y and Mr. X are beneficiaries of the trust and also indirectly own shares of the Company A through Company C. Mr. X has to be identified and verified based solely on his indirect 45% ownership of Company A through Company E. Ms. Y and Mr. Z, must also be identified and verified because they are beneficial owners of a legal arrangement that owns 40% of Company A.
4.3.3. Understanding the Purpose of the Account and Nature of the Customer’s Business
For all customer types, LFIs are required to understand the purpose for which the account or other financial services will be used, and the nature of the customer’s business. This step requires the LFI to collect information that allows it to create a profile of the customer and of the expected uses to which the customer will put the LFI’s services. Because almost all legal persons and arrangements are created to make it easier to do business, invest assets, or engage in some form of organized activity, this element of CDD is critical to understanding customers who are legal persons and arrangements.
Legal persons and arrangements engage in an extremely wide variety of financial activity, potentially a wider variety than individual customers are likely to display. The activity profile of a cash-intensive business such as a taxi firm will be completely different from that of an investment vehicle or of a waqf that collects revenues from real property and distributes them to charitable causes. But specific legal person and arrangements customers are also likely to engage in patterns of activity that remain constant from month to month and year to year. Understanding the purpose of the account allows LFIs to develop expected patterns and compare them to actual behaviour. For example:
• A taxi company is likely to see substantial cash inflows and make regular, predictable transfers to cover payroll and to a limited set of suppliers (e.g. mechanics, gas stations). If a taxi company starts making transfers to a foreign jurisdiction, even a low-risk one, that behaviour may not fit the expected pattern and if so would require investigation. • A waqf managing an apartment building should receive very regular monthly rent payments from residents, whether by cash, check or Automated Clearing House. The waqf should have regular expenses for maintenance and property taxes, as well as predictable payments to the beneficiaries of the waqf. If the waqf suddenly doubles its cash deposits, the LFI will need to investigate to understand why the customer’s behaviour has changed.
Understanding the nature of the customer’s business can be a straightforward process. Most legal person customers will be engaged in familiar, easily identifiable activities in recognized sectors: manufacturing, retail, agricultural production, etc. In other cases, it may not be so simple. A legal person customer may be formed solely to facilitate a complex financial transaction. In other cases, the legal person may not have fully determined their business model or may plan to engage in a business activity that is out of keeping with the owners’ and managers’ resources and expertise, or that don’t seem to make economic sense. Finally, a customer may try to conceal its actual business; for instance, a company that is engaged in computer hacking and fraud may describe itself as a software engineering firm or a call centre.
As LFIs advance efforts to understand their customer’s business and financial activities, they should consider whether aspects of the customer profile require EDD. The following are some situations in which EDD may be appropriate:
• The customer has business or other ties to high-risk jurisdictions (if the customer or its beneficial owners are based in a high-risk jurisdiction, EDD is mandatory). • The customer is engaged in a high-risk sector. High-risk sectors can include, but are not limited to: o Sectors with high flows of cash; o Other financial sectors (e.g. customers who are MSBs or payment processors); o Sectors that involve the import or export of dual-use technology (technology that may be used for proliferation); o Sectors that are at high risk for human trafficking (bars and dance venues; construction; cleaning); o Charitable activities, especially those involving high-risk jurisdictions. • The customer is a state-owned-enterprise (SOE). SOEs engage in a wide variety of business activities; their close relationship to government and government officials means that they may be at higher risk for corruption-related transactions. • The customer intends to use high-risk financial products and services, such as bulk cash services or purchase and exchange of virtual assets. • The LFI does not fully understand the customer’s business model or activities. Customers that generate revenue, but that have no apparent business activities, are perhaps the highest risk.
When conducting EDD on the business activities and account use of legal persons and arrangements, LFIs should use techniques designed to manage the specific risks of the customer. These may include, but are not limited to:
• Requiring the customer to provide invoices documenting incoming and outgoing transfers; • Requiring the customer to provide its Economic Substance Report; • For customers operating in licensed sectors, requiring the customer to provide proof that it has a valid business license; • Inspecting payroll documents and other business records; • Visiting the customer’s business premises and interviewing its personnel; • Requesting a reference from a current customer or other well-known firm with which the new customer claims to do business, or which operates in the same sector as the new customer.
4.3.4. Ongoing Monitoring
Like all customers, legal persons and arrangements must be subject to ongoing monitoring throughout the business relationship. Ongoing monitoring ensures that the account or other financial service is being used in accordance with the customer profile developed through CDD during onboarding, and that transactions are normal, reasonable, and legitimate.
4.3.4.1 CDD Updating
LFIs are required to ensure that the CDD information they hold on all customers is accurate, complete, and up-to-date. This is particularly crucial in the context of legal person and arrangement customers, which, by their very nature, can change their fundamental identity overnight. With the stroke of a pen, a company engaged in a low-risk business and owned by reputable UAE residents can move its activities to a high-risk sector and can transfer ownership to nationals of a high-risk foreign jurisdiction.
LFIs should update CDD on legal person and arrangement customers on a risk-based schedule, with CDD on higher-risk customers being updated more frequently. EDD on all customers, including legal persons and arrangements, should involve more frequent CDD updates.
CDD updates should include a refresh of all elements of initial CDD, and in particular must ascertain that:
• The customer’s beneficial owners remain the same; • The customer continues to have an active status with a company registrar (this may not apply to legal arrangement customers); • The customer has the same legal form and is domiciled in the same jurisdiction; • The customer is engaged in the same type of business, and in the same geographies; • The customer’s transactions continue to fit its profile and business, and are consistent with the business the customer expected to engage in when the business relationship was established.
If any of the above characteristics have changed, the LFI should risk-rate the customer again.
The LFI should conduct EDD when the revised risk rating demands it or if the customer’s history of transactions is not consistent with its profile and with the expectations established at account opening. LFIs must always conduct EDD when this is required by law (a beneficial owner of the customer is a PEP, as defined in Article 15 of AML-CFT Decision, or the customer or its beneficial owner is domiciled in a high-risk jurisdiction).
LFIs may consider requiring that the customer update them as to any changes in its beneficial ownership. Even if this requirement is in place, however, LFIs should not rely on the customer to notify it of a change, but must still update CDD on a schedule appropriate to the customer’s risk rating.
4.3.4.2. Transaction Monitoring
As with all customers, LFIs must monitor activity by legal person and arrangement customers to identify behaviour that is potentially suspicious and that may need to be the subject of a Suspicious Transaction Report (see section 4.4 below). Legal persons, especially those that engage in commerce, are likely to engage a wider range of financial activity than are individual and most legal arrangement customers. This can make identifying suspicious behaviour by legal persons difficult.
As with other customer types, LFIs that use automated monitoring systems should apply rules that are designed to detect common typologies for illicit behaviour. When monitoring and evaluating transactions, the LFI should take into account all information that it has collected as part of CDD, including the identities of beneficial owners. For example, a series of transactions between two unconnected companies may not be cause for an alert. But if the companies are all owned or controlled by the same individual(s), the LFI should investigate to make sure that the transactions have a legitimate economic purpose.
Where possible, monitoring systems should also flag unusual behaviour that may indicate that a legal person customer’s business has changed—for example, a first transfer to or from a high-risk jurisdiction, or a large transaction involving a new counterparty. LFIs should follow up on such transactions with the customer to discover whether the customer has changed its business model in such a way as to require a higher risk rating.
A list of red flags for illicit behaviour involving legal persons and arrangements is provided in the Annex to this Guidance.
4.4. Suspicious Transaction Report Filing
As required by Article 15 of AML-CFT Law and Article 17 of AML-CFT Decision, LFIs must file a Suspicious Transaction Report (STR) with the UAE Financial Intelligence Unit (UAE FIU) when they have reasonable grounds to suspect that a transaction, attempted transaction, or certain funds constitute, in whole or in part, the proceeds of crime, is related to a crime, or is intended to be used in a crime. STR filing is not simply a legal obligation; it is a critical element of the UAE’s effort to combat financial crime and protect the integrity of its financial system. By filing STRs with the UAE FIU, LFIs alert law enforcement about suspicious behaviour and allow investigators to piece together transactions occurring across multiple LFIs.
In addition to the requirement to file an STR when an LFI suspects that a transaction or funds are linked to a crime, LFIs should consider filing an STR in the following situations involving legal persons or arrangements:
• A potential legal person or arrangement customer decides against opening an account or purchasing other financial services after learning about the LFI’s CDD requirements; • A current legal person or customer cannot provide required information about its business or its beneficial owners; • A legal person or arrangement customer cannot adequately explain transactions, provide supporting documents such as invoices, or provide satisfactory information about its counterparty; • The LFI is not confident, after completing CDD procedures, that it has in fact identified the individuals owning or controlling the legal person or arrangement. In such cases, the LFI should not establish the business relationship, or continue an existing business relationship, and should also consider filing an STR.
Please consult the CBUAE’s Guidance on Suspicious Transaction Reporting for further information.
4.5. Implementation of Targeted Financial Sanctions - Special Considerations for Legal Persons and Arrangements
Key Terms for Targeted Financial SanctionsAffiliate is an entity owned by another entity by more than 25% and less than 50% of its capital.
Controlling shareholder is a shareholder who has the ability to directly or indirectly influence or control the appointment of the majority of the Board of directors, or the decisions made by the board.
Listed Person is a person or organization listed by the UN Security Council on the Sanctions List, or listed by the Cabinet on Local Lists, as the case may be.
Subsidiary is an entity owned by another entity by more than 50% of its capital or under full control of that entity regarding appointment of the Board of Directors.
Legal persons can be included on international sanctions lists. In addition, the obligation to freeze the funds of a listed person, imposed by AML-CFT Decision and by articles 15 and 21 of Cabinet Decision (74) of 2020, extends to funds that a Listed Person owns or controls through ownership or control of a legal person or through a legal arrangement.
Listed individuals and legal persons are known to seek to evade sanctions by hiding their interest in a transaction via complex layers of control and ownership, through informal nominee arrangements, and through the assistance of complicit professionals. Listed Persons may also use front companies-companies mixing legitimate and illicit economic activity—to conceal their activities. For this reason, identification of beneficial ownership through the entire corporate ownership structure is critical for effective sanctions implementation, as is fully understanding the nature of the customer’s business.
LFIs that employ automated screening technologies to identify matches to sanctions lists must ensure that their screening tools include all individuals associated with a legal person customer, including beneficial owners, authorized signatories, directors, and senior management.
Legal persons and arrangements that are directly or indirectly (i) owned 50% or more in the aggregate, or (ii) controlled, by one or more Listed Person, including subsidiaries of a Listed Person, and entities where a listed person is a controlling shareholder, are subject to the same prohibitions as the Listed Person, even if such entities are not specifically listed by the UAE or the United Nations.
Financial institutions should observe caution when considering a transaction with an entity that is not a Listed Person in which one or more Listed Persons have a significant ownership interest that is less than 50 percent or which one or more Listed Persons may control by means other than a majority ownership interest. Such non-listed entities, to include affiliates, may become the subject of future designations or enforcement actions. As discussed above, LFIs should make a risk-based decision as to whether to identify beneficial owners who own or control less than 25% of the legal persona or arrangement. LFIs are not required to identify every beneficial owner in order to conduct sanctions screening. But should an LFI, in the course of enhanced due diligence, discover that a Listed Person owns a minority interest in a legal person, this information must be taken into consideration in risk-rating that customer.
Please see the Guidance on Targeted Financial Sanctions for more information on this issue.
LFIs should consult the CBUAE and the Supreme Council for National Security if they have any questions regarding implementation of UN or UAE sanctions. LFI employees must be trained on these issues as part of comprehensive ongoing training.
Example: Listed individual Ms. Y owns 25% of foreign Company A. Foreign Company A owns 30% of UAE Company B. Company B is a customer of UAE LFI Lion Bank. Ms. Y has no other ownership interests in Company B. Ms. Y therefore ultimately owns 7.5% of Company B.
Ms. Y’s minority interest may not in itself give her ownership or control Company B. But Lion Bank should also consider the following factors when determining whether Ms. Y exercises control over Company B:
• The other beneficial owners of Company B are known close associates of Ms. Y’s; and • Ms. Y has loaned Company B a sum equal to 100% of its operating revenue in the previous financial year, and under the terms of the loan agreement, if Company B does not repay the loan Ms. Y will acquire an additional 35% of Company B. .../....../...
When these factors are considered, it becomes likely that Ms. Y does in fact exercise control over Company B, despite her relatively small ownership stake, and transactions with Company B may therefore be prohibited under Cabinet Decision (20) of 2019.
Alternatively, if Company B operates in the high-tech manufacturing sector, and Ms. Y has been listed for proliferation activities, the LFI may conclude that the sanctions evasion risk posed by Company B is too great to permit accepting it as a customer, even if Ms. Y does not exercise control of the company. 4.6. Training
As will all risks to which the LFI is exposed, the AML/CFT training program must ensure that employees are aware of the risks of legal persons and arrangements, are familiar with the obligations of the LFI, and are equipped to apply appropriate risk-based controls.